Click-Jacking Protection

Learn how to protect your Umbraco site from clickjacking attacks using X-Frame-Options and security headers.

Checks if your site is allowed to be IFRAMEd by another site and thus would be susceptible to click-jacking.

How to fix this health check

This health check can be fixed by adding a header before the response is started.

Preferable you use a security library like NWebSec.

Adding Click-Jacking Protection using NWebSec

If you take a NuGet dependency on NWebsec.AspNetCore.Middleware/, you can use third extension methods on IApplicationBuilder.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseXfo(options => options.SameOrigin());

        ...
    }
}

Adding Click-Jacking Protection using manual middleware

Avoid third-party library dependencies by using custom middleware added to the request pipeline.

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
            await next();
        });

       ...
    }
}

Last updated